Pidgin’s third-party plugin list recently hosted a malicious plugin that compromised the security of the users who installed it.
The plugin, named ss-otr (ScreenShareOTR), was initially added to Pidgin’s third-party plugin roster on July 6th; unbeknownst to users and developers, it harbored harmful components.
The discovery was made on August 16th, when a user reported that the plugin contained a keylogger and was capable of capturing screenshots and sending them to unauthorized parties.
This report prompted immediate action from the Pidgin team, who promptly removed the plugin from their listing and began an in-depth investigation into the breach.
Subsequent verification on August 22nd confirmed the presence of the keylogger, cementing the plugin’s status as a significant security threat. Users who have installed ss-otr are strongly advised to remove it from their systems immediately.
Interestingly, at the time of its approval, the ss-otr plugin provided only binary files for download, with no source code available, a detail that went unchallenged at the time and exposed a gap in the vetting process.
In response to this incident, the Pidgin team has announced new measures to bolster security for its plugin ecosystem. Moving forward, all plugins must be accompanied by an OSI Approved Open Source License, and thorough due diligence will be conducted to ensure the safety and reliability of the plugin for users.
Yes, I know Pidgin isn’t as popular as it was a decade ago, but it’s still being supported. So, if you’ve bet on it, review the plugins you use. For more information, refer to the announcement.
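If you want to act on that advice, here is a small triage script. It is an added example, not code from the Pidgin project or from the announcement. It lists the plugin shared objects in the directories you pass it, marks those that no distro package owns (sideloaded third-party plugins, which is how ss-otr would have been installed) and flags any whose file name matches a watchlist. The directory paths, the use of dpkg/rpm as the ownership oracle and the substring match on "ss-otr" are my assumptions: libpurple normally loads per-user plugins from ~/.purple/plugins, system plugin directories vary by distro, and the page never names the plugin’s actual file.

```shell
#!/bin/sh
# Added example for triaging installed Pidgin/libpurple plugins. This is not
# code from the Pidgin project or from the original post.
#
# Assumptions (not stated on the page):
#  - libpurple loads per-user plugins from ~/.purple/plugins; system plugin
#    directories differ per distro, so candidates are passed in explicitly.
#  - A plugin file owned by an installed distro package (per dpkg or rpm) is
#    treated as "packaged"; anything else is sideloaded and worth a look.
#  - The page never names the ss-otr plugin's file, so the watchlist match is
#    a plain substring match on the basename.

# Print the plugin shared objects (.so/.dll) directly inside a directory.
list_plugin_files() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f \( -name '*.so' -o -name '*.dll' \) | sort
}

# Exit 0 if a distro package owns the file, 1 otherwise (or if no package
# manager is available, which conservatively marks everything as unpackaged).
package_owns() {
    f=$1
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$f" >/dev/null 2>&1 && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" >/dev/null 2>&1 && return 0
    fi
    return 1
}

# Print, one per line, the plugin files in a directory that no package owns.
unpackaged_plugins() {
    list_plugin_files "$1" | while IFS= read -r f; do
        package_owns "$f" || printf '%s\n' "$f"
    done
}

# Exit 0 if the file's basename contains any name in the space-separated
# watchlist (e.g. "ss-otr"), 1 otherwise.
matches_watchlist() {
    name=$(basename "$1")
    for w in $2; do
        case "$name" in *"$w"*) return 0 ;; esac
    done
    return 1
}

# Full report over the given directories: every unpackaged plugin is listed,
# and those on the watchlist are marked so they can be removed first.
review_plugins() {
    watch=$1; shift
    for d in "$@"; do
        unpackaged_plugins "$d" | while IFS= read -r f; do
            if matches_watchlist "$f" "$watch"; then
                printf 'REMOVE   %s (matches watchlist)\n' "$f"
            else
                printf 'REVIEW   %s (third-party, not from a distro package)\n' "$f"
            fi
        done
    done
}

# Usage: report on the user directory plus the usual system directories.
# review_plugins "ss-otr" "$HOME/.purple/plugins" /usr/lib/purple-2 /usr/lib64/purple-2
```

Anything that comes back as REVIEW is a plugin your package manager did not put there; check where it came from and whether its source is available before deciding to keep it. Anything marked REMOVE should go immediately, and the usual post-compromise steps (rotating credentials typed while it was installed) apply.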